PDA

View Full Version : Google search links hijacked


Tcatomon
2010-11-29, 05:47
Anytime I search in Google all the hover link addresses are switched to www.google.com/? followed by a string of random numbers that direct to random pages once you click on them. I made the stupid mistake of uninstalling Firefox and it pulls up some java script error anytime I open it after I reinstall and wont open (It's probably related to this I'm guessing e_e).
All the rules on this site have changed since the last time I was here, so I hope I haven't missed anything that I should have done in the meantime.

Before I came here I ran ATF-cleaner and CCleaner. Spyboy found a Vundo regestry key which I cleaned out, but VundoFix and Malwarebytes (deep scan) has found nothing and it's still doing the link issue. Combofix wont work on 64 bit Vista either, otherwise I probably wouldn't be posting here right now :|

DDS (Ver_10-11-27.01) - NTFS_AMD64
Run by Administrator at 22:40:51.40 on Sun 11/28/2010
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_18
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3837.2565 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Program Files (x86)\AVG\AVG9\avgchsva.exe
C:\Program Files (x86)\AVG\AVG9\avgrsa.exe
C:\Windows\system32\lsm.exe
C:\Program Files (x86)\AVG\AVG9\avgcsrva.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_1b06afce\STacSV64.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\WLANExt.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\SysWOW64\svchost.exe -k Akamai
C:\Program Files (x86)\AVG\AVG9\avgwdsvc.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\SMINST\BLService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\Wacom_Tablet.exe
C:\Users\Administrator\AppData\Local\TVersity\Media Server\MediaServer.exe
C:\Program Files (x86)\AVG\AVG9\avgnsa.exe
C:\Program Files (x86)\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WTablet\Wacom_TabletUser.exe
C:\Windows\system32\Wacom_Tablet.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\AVG\AVG9\avgtray.exe
C:\Users\Administrator\AppData\Local\cleanmgr.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\mobsync.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files (x86)\Pidgin\pidgin.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Users\Administrator\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files (x86)\AVG\AVG9\avgssie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MICROS~2\Office12\GRA8E1~1.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
mRun: [NWEReboot]
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
mRun: [<NO NAME>]
mRun: [AVG9_TRAY] C:\PROGRA~2\AVG\AVG9\avgtray.exe
mRun: [cleanmgr] C:\Users\Administrator\AppData\Local\cleanmgr.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\ADOBEG~1.LNK - C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
uPolicies-system: WRP = 0 (0x0)
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~2\MICROS~2\Office12\GR99D3~1.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MICROS~2\Office12\GRA8E1~1.DLL
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"
BHO-X64: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG9\avgssiea.dll
BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
TB-X64: DAEMON Tools Toolbar: {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files (x86)\DAEMON Tools Toolbar\DTToolbar64.dll
mRun-x64: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
mRun-x64: [OnScreenDisplay] C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
AppInit_DLLs-X64: avgrssta.dll

============= SERVICES / DRIVERS ===============

R0 PxHlpa64;PxHlpa64;C:\WINDOWS\System32\drivers\PxHlpa64.sys [2010-1-17 52664]
R1 AvgLdx64;AVG Free AVI Loader Driver x64;C:\WINDOWS\System32\drivers\avgldx64.sys [2009-1-22 269904]
R1 AvgMfx64;AVG Free On-access Scanner Minifilter Driver x64;C:\WINDOWS\System32\drivers\avgmfx64.sys [2009-1-22 35536]
R1 AvgTdiA;AVG8 Network Redirector;C:\WINDOWS\System32\drivers\avgtdia.sys [2009-1-29 317520]
R2 Akamai;Akamai NetSession Interface;C:\Windows\System32\svchost.exe -k Akamai [2008-1-20 27648]
R2 avg9wd;AVG Free WatchDog;C:\Program Files (x86)\AVG\AVG9\avgwdsvc.exe [2010-7-15 308136]
R2 Recovery Service for Windows;Recovery Service for Windows;C:\WINDOWS\SMINST\BLService.exe [2008-6-10 341328]
R2 TabletServiceWacom;TabletServiceWacom;C:\WINDOWS\System32\Wacom_Tablet.exe [2009-9-24 3647272]
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files (x86)\Viewpoint\Common\ViewpointService.exe [2009-1-22 24652]
R3 enecir;ENE CIR Receiver;C:\WINDOWS\System32\drivers\enecir.sys [2008-1-24 60928]
R3 JMCR;JMCR;C:\WINDOWS\System32\drivers\jmcr.sys [2008-4-11 125328]
S2 gupdate1c9862e6d8b02be;Google Update Service (gupdate1c9862e6d8b02be);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2009-2-3 133104]
S3 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\WINDOWS\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-9-29 93184]
S3 MayPro;TigerGame SuperJoy Box Pro Filter Service;C:\WINDOWS\System32\drivers\Maypro.sys [2009-2-22 25120]
S3 PerfHost;Performance Counter DLL Host;C:\WINDOWS\SysWOW64\perfhost.exe [2008-1-20 19968]
S3 VCR2PC;VCR2PC Analog Capture;C:\WINDOWS\System32\drivers\0140_ION.sys [2010-9-17 301504]
S3 wacmoumonitor;Wacom Mode Helper;C:\WINDOWS\System32\drivers\wacmoumonitor.sys [2009-9-24 18216]
S4 AESTFilters;Andrea ST Filters Service;C:\WINDOWS\System32\DriverStore\FileRepository\stwrt64.inf_5d1a7764\AESTSr64.exe [2009-1-23 86016]
S4 hpsrv;HP Service;C:\WINDOWS\System32\hpservice.exe [2008-3-18 23040]

=============== File Associations ===============

JSEFile=%SystemRoot%\SysWow64\CScript.exe "%1" %*
VBEFile=%SystemRoot%\SysWow64\CScript.exe "%1" %*
VBSFile=%SystemRoot%\SysWow64\CScript.exe "%1" %*

=============== Created Last 30 ================

2010-11-29 03:10:32 -------- d-----w- C:\VundoFix Backups
2010-11-29 02:17:37 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy
2010-11-29 01:43:48 -------- d-----w- C:\Users\ADMINI~1\AppData\Roaming\TeamViewer
2010-11-29 00:24:22 388096 ----a-r- C:\Users\ADMINI~1\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-11-27 19:45:40 12288 --sh--w- C:\Users\ADMINI~1\AppData\Local\cleanmgr.dll
2010-11-27 19:45:39 62976 --sh--w- C:\Users\ADMINI~1\AppData\Local\cleanmgr.exe
2010-11-27 02:31:27 -------- d-----w- C:\Users\ADMINI~1\AppData\Roaming\Malwarebytes
2010-11-27 02:31:18 38224 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2010-11-27 02:31:16 24664 ----a-w- C:\Windows\System32\drivers\mbam.sys
2010-11-27 02:31:16 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2010-11-27 01:59:57 192 ----a-w- C:\Users\ADMINI~1\AppData\Roaming\aswhj.bat
2010-11-27 01:59:55 26112 ----a-w- C:\Windows\SysWow64\dll.dll
2010-11-10 05:41:36 1409 ----a-w- C:\Windows\QTFont.for

==================== Find3M ====================

2010-10-01 16:23:01 28672 ----a-w- C:\Windows\SysWow64\qttask.exe
2009-05-15 02:02:10 3392872 ----a-w- C:\Program Files (x86)\Common Files\adlmint_libFNP.dll
2009-05-15 02:02:10 3298152 ----a-w- C:\Program Files (x86)\Common Files\adlmint.dll
2000-12-20 22:03:00 536064 ----a-w- C:\Program Files (x86)\GIFAnimator.exe
2006-05-03 09:06:54 163328 --sh--r- C:\Windows\SysWOW64\flvDX.dll
2007-02-21 10:47:16 31232 --sh--r- C:\Windows\SysWOW64\msfDX.dll
2008-03-16 12:30:52 216064 --sh--r- C:\Windows\SysWOW64\nbDX.dll

============= FINISH: 22:41:36.32 ===============

(edit) Updated my Spybot since I noticed DDS said it was outdated. No dice, still claims it's clean.
Blade81
2010-12-04, 13:18
Hi,

Please download MBRCheck (http://ad13.geekstogo.com/MBRCheck.exe) to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log in your reply.

----


Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.
Blade81
2010-12-10, 16:21
Due to inactivity, this thread will now be closed.

Note:If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.

If it has been less than three days since your last response and you need the thread re-opened, please send me or other MOD a private message (pm). A valid, working link to the closed topic is required.